Update: Included another link to the Video. Thanks, Renke!
Just back from 24C3 where I attended Roger Dingledine’s talk about Tor’s further development plans (Torrent to Matroska-Video: Mirror #1, Mirror #2). He also presented the new development-version of Torbutton which is finally usable. The old Torbutton-plugin had several problems: It had the problem that it presented cookies, history and saved passwords from non-Tor-sessions to Tor-sessions which severely spoiled your privacy; the new development-version of Torbutton has a dedicated cookie-jar for Tor-sessionsand lot’s of other features:

So if you press the Torbutton, it totally isolates all the other non-Tor-sessions (though I don’t recommend to use those tabs), improving your privacy. Before this new plugin was available, I used a separated Firefox-profile to use Tor – not needed anymore with Torbutton.

Well. I was expecting this. You know, there are people taking civil responsibility, running a Tor-node and all they get is nastygrams, kicked-down doors and ultimately, lawsuits.

So, what happened: There’s this German guy, a Tor-operator. In June the police send him a letter telling him that he’s accused of computer fraud combined with unlawful modification of evidences. He’s a law-abiding citizen nothing guilty of, just using his civil rights and quite fed up with all those silly accusations, so he followed Udo’s golden rule #1: “You have the right to remain silent“.

Months later he got a letter from a court order about a penalty order, telling him that he’s guilty on all counts.

He describes it in his own words:

In early September I received a penalty order ("Strafbefehl") - from thecourt. A judge found me guilty of having ordered a gift voucher (value: 51EUR) on amazon.de, providing address details of a living person (but notmyself obviously), and using a Web.de email address registered specificallyfor this purpose. I was sentenced to pay a fine of 500 EUR.

He appealed and the whole case finally went to court, having the hearing today. What happened then is beyond all reason:

[…] the penalty order listed four witnesses (the person whose addressdetails had been used, a police officer in a cow town near that person'shome hometown, a local police officer, and an employee of amazon.de)

However, the trial listed no witnesses at all. That guy was a laymen-judge (lay assessor) himself, so he though that this trial is based on a very weak basis and didn’t bother about it to much. Then all hell broke lose.

The judge and the lawyer of the state realized quite quick that he was not the one who committed the fraud, but instead of dismissing the case entirely they started to construct accusations like “supporting a crime” – which is utter bullshit. The accusation of “supporting a crime” in Germany definitively states that you need to support actively a certain crime – and only especially that you’re accused of. There ain’t nothing like a “general support crime”, as the judge thought. This is just another stunt!

The judge really thought “someone needs to be punished, but we can’t accept you to help anyone else to comit a crime”:

The judge as well as the public prosecutorrefused to accept that I didn't do anything criminal, that I didn't andstill don't want to help anyone committing a crime.

Oh Lord. Where have we gone!?

Even worse. The whole lawsuit was so frightening and cumbersome to the Tor-guy that he decided to dismiss the lawsuit according to §153 StPO. That means that the accusations are dismissed because there’s no public interest in the case. But yet, that doesn’t mean that he wasn’t found NOT GUILTY!

Why did he do this? Because he didn’t want to pay for a lawyer, as I do – but I can afford it:

They offered me to dismiss the actual court trial according to paragraph 153StPO which is not the same as an acquittal (no "Freispruch") which Ieventually accepted. It means, however, that I won't have to pay for thetrial. They also repeatedly said that this time I got off with just a slapon the wrist - next time it wouldn't be that cheap.

It’s all a big mess. Judges and lawyers have no bloody clue what Tor is about. They ignore the fact that Tor is a legal tool in a civil society and that Tor-operators aren’t responsible for the actions of their users. Heck, no one ever sued Pan Am to let the Lockerbie-bombers on board, and no one ever sued the German Postal Service for transporting letter-bombs: Yet German courts think that operators of anomymizing services are responsible for the actions of the users.

Brave new new world. Where have we gone? Our elected leaders ratify laws which are stupid. The judiciary is as dumb as a piece of stale bread. Take me out of here.

Update^4: If you comment doesn’t show up immediately, it probably ended up in the spamfilter (Akismet). As long as the the people keep posting I’ll continue to check the spam-folder regulary and will manually publish the posting. So don’t post twice or even more often. — alex.
Update^2: I want to point out one thing: The investigations about “computer fraud” are not related to the other case. It’s not that they try to find some other accusation to sue me in any case. Lots of people were raising that rumour: It’s not true. — alex.

As you, my regular reader, might now, I run a Tor-server in Germany. I already had some experience with the german Feds, the BKA, regarding the childporn-crackdown earlier this year. I blogged about it and even erlier I wrote a sentence – which was merley a superstition – from which I thought “this can’t possibly happen in Germany”:

“[…] the last thing I want to experience is the police kicking down my door, seizing my computer.”

“My TOR-server is still running, pushing 40GB/day around. I’m not going to shut it down for whatever reason.”

However, I have to retreat from my arguments.

On Sunday morning, 00:15 AM, July the 29th, someone knocked on my door very hard. I just came back from a pub-crawl with a friend from the UK, was quite drunk, opened the door and just heard “Police!”. They entered my appartment, cuffed me and started to search my flat. My wife was scared to death. I was held in my own kitchen for almost 30 minutes asking “WTF is that about?” when they just said “Calm down, we’ll explain everything later”.

Minutes later they explained me that I’m suspected of placing a bomb-threat at a german copper-forum called copzone.de – a forum I never heard about. They accused me of posting shit like “I’ll plant a bomb in the department of work” and that I was about to cut-throat (or something like that, I can’t remember, I was drunk) a worker from that department. (Edit: The posting at copzone.de doesn’t seem to be accessible. Since my lawyer doesn’t have the files yet, I don’t know what exactly was posted. The german police doesn’t hand over the files to the suspect, he has to hire a layer to see the files.)

I explained them that I was a Tor-operator and what Tor is about. I showed them the letters from the Feds from the earlier incident to proove that I’m not bullshitting them. However, the coppers weren’t not so much into Tech-stuff and told me that a forensic unit will care about all my equippment. They searched everything: My attic, my office, my car, they digged through my wifes underwear, they found my old chmistry books very interesting, the flak-vest I own which I use when I go to strange countries, they found the fertilizer which I use for my chilli-plants, my microcontroller-experiments looked like an IED to them: Basically, EVERYTHING was suspicious.

They installed a new lock on my office’s door, although I eplained them that my Tor-server was running in a totally different city, like 500 km away! Funny enough, that server wasn’t confiscated. Ah, and I’m supposed to pay for the new lock. WE’LL SEE ABOUT THAT.

Eventually – after 30 minutes maybe – they took off the cuffs and brought me to the police-barracks for interrogation. I explained there for hours what the hell I’m doing, what Tor is and all the crap. I spare you the details. I was drunk and the interrogation-protocol might be a bit embarrassing for me.

However. Hours later, on the same sunday, someone from the “Staatsschutz” (something like the DHS) of the city of Düsseldorf came to unlock my door, telling me something like “uh, we screwed up, sort of”. That’s not what he said, but that’s the bottomline.

So much for the incident.

The consequences: I’ve shut down my Tor-server. I can’t do this any more, my wife and I were scared to death. I’m at the end of my civil courage. I’ll keep engaged in the Tor-project but I won’t run a server any more. Sorry. No.

Thursday I was still sitting in the car driving through Austria back to Germany when my wife called me up “we have another letter”. This time the accusation is “computer fraud”. I don’t know any details yet, but I’m supposed to show up for interrogation next thursday. My lawyer is informed. Details when I can tell them.

So, so sum up everything: I was arrested. They scared my wife. They consfiscated all my equippment. They stopped the investigation. I’m sitting on a pile of bills from my lawyer no one except me has to pay. I’ll sue for compensation, but I don’t think that this will lead anywhere. I’m now accused of something else. Horray! Bloody hell. I still love my country, but it’s bitching around.

From my point of view the german police is even more than incompetent++. They aren’t able to do the most simple investigations. Pre-checks for plausibilty don’t exist. This is so stupid.

Ah, and on a sidenote: My lawyer is still waiting for the files of the bomb-threat incident. Although the investigations against me were stopped. Wonderful!

Düsseldorf, September the 16th,
Alex “Yalla” Janßen.

Edit^3: On a sidenote – some people accused me of not knowing what I’m talking about when I said that the police was incompent when it came to this incident. Let me get this straight: I’m qualfied to comment on this, I’m working in the computer security business and I know how to do real investigations. The first thing to check is if the server in question is an open relay or some anonymisation service. So stop this stupid bullshit. Just check the hostname “wormhole.ynfonatic.de” in your favourite search-engine and on the first hits it’s reveiled that this is a Tor-server. You don’t need to be a computer-expert to check on this. Incompetence++.

Hi all, long time no see! Was busy with stuff I’ll explain later; however, I’m currently on the Linuxbierwanderung 2007 in Hersonissos, Crete, Greece. Today I gave my talk about Tor and it’s legal implications for users and operators.

Update: I corrected the broken links. Sorry that I couldn’t do it earlier, but I was sitting in a Landrover Defender 110 driving through the Balkans – which was fantastic and deserves it’s own posting later.

Recently I quit my membership in the German Computer Science Society (“Gesellschaft für Informatik”), mostly because I think they don’t have a real perspective. For years and years I thought that they start to be a bit more pragmatic, but they kept insisting on the “one and only lore”. I know that they’re more about science and teaching, but they didn’t meet my expectations – especially when it comes to software patents. I was recruted by them when I was still a student so I feel quite sore and sorry to leave them – but we weren’t made for staying together.
So I resigned as a member in December, something I actually didn’t want to, for I believe that people like the Bitkom don’t really present us, the hackers, fiddlers and freelancers, in a true sense.The Bitkom is more about big corporate business, the GI more about science and teaching.
Nonetheless, the GI was to far off for me too. They got me as a student, nowadays we’re not aligned any more and they can’t offer me anything.

And there I am, a new proud member of the Free Software Foundation Europe.

What do I want to achieve with it? Not sure yet, but I feel that my contribution – means my membership-fee of 120 EUR a year – is better with the FSFE than with the GI.

My goals? I’d like to establish a TOR legal-fund. Maybe the FSFE is the right platform for it, although I’d be better of with the EFF, but they don’t seem to have a well-organised European chapter. Considering my recent experience with the german Feds and my lawyer’s bill – just a mere 150 EUR though – I started to think how other people with no funds could defend themselves against ill accusations. Rabenhorst said that he doesn’t really agree with me that the Feds did the right thing how to prosecute evildoers who abuse TOR. I’m still not with his opinion since running TOR is one thing and prosecuting child-porn dealers is another one, but others pointed out correctly that there are other people running TOR who don’t have the funds to hire a lawyer as I have.

I can’t promise anything by now, I don’t have a real plan yet; but a TOR legal-fund for us German TOR-operators wouldn’t be too bad.

If you feel inclined to help me out with it, drop me a line, I’d be happy to discuss a legal fund as I have a lawyer handy who might be able to consult us.

I run a TOR-server. Anonymity is not a crime. There are a million reason why you want to stay anonymous on the interweb. Lately there was quite a hassle about seized TOR-servers in Germany and I was waiting for my server to be seized too. Didn’t happen until now. Something quite unexpected happened instead.

On the 28th of December I got a letter from the BKA (Germany’s Federal Criminal Police Office). The content of the letter was something like that:

“The owner of the IP-Address $my_servers_address is suspected of posession of child pornography. Hereby we order you to tell us the real name of the owner and disclose all relevant logfiles according to §113 TKG in the time of the 26th of October, 7:00 PST. We also demand the names of all your customers which use your service and we inform you that disclosing our request to your customers may be punishable.”

Obviously I was a bit scared about the “the owner of the IP-address part” so I hired a lawyer. The overall text was also a bit far-off for my taste, but whatever. My lawyer sent out a fax yesterday to the BKA asking if I, as his client, am a suspect or a witness. He also stated that I’m running a TOR-server and that no relevant log-files according to §113 TKG exist. In case that I’m a suspect he asked for all the files dealing with the investigation.

That was last night, today, about 20 hours later, we already got an reply. The BKA acknowledged, that they understood my lawyer’s statement that the TOR-server does not create relevant logfiles and claimed that this information is enough for their ongoing investigations. Furthermore they say that they need no further “statements” from my side. (which can be read as thanks, we’re fine, but who knows…)

Hm, they finally seem to have come to their senses. They really scared the shit out of my wife and me, believe me. When I started running a dedicated TOR-server I had a chat with my wife and explained her what I’m up to, what TOR is and what consequences it might have – she never thought that this case would ever occur.

I have only two possible explanations why they wrote the letter in that way. Either they thought that I rented the server to someone else – doing business with that dedicated server – or they just wanted to spread fear among the German TOR-operators. Could be either way. However, they were quite polite, not threatening in a direct way. But enough to make me call a lawyer.

However, this is rather an improvement compared to what happened in the last couple of months, LEAs seizing random server without thinking. This LEA thought before taking action, followed the way of investigation what would be obvious to everyone.

TOR-operators in Germany: Don’t let the LEAs scare you. Remember: It’s not you. It’s criminals abusing your service. You’re not the criminals, it’s them. And don’t let the “If you’ve nothing to hide”-argument bother you. It’s us, the citizen, to observe the state, not the state to watch on us. And a hammer doesn’t make the tools-dealer a murder.

A couple of people onthe freenode.net IRC-network asked today the same question: How to get access to freenode using TOR according to their instructions. The real problem is not the methode, but the way how to get to that point. I decided to create a small step-by-step howto.

Overview

To gain access to Freenode using TOR the Freenode-staff wants TOR-users to use their hidden service which can only be accessed after creating an account there. To get an account you need to have a GPG keypair. I’ll describe step by step how to create a keypair.

I got one problem with this website: It is notoriously clipping all pictures to a certain width – if the screenshot isn’t clearly visible, vlick on it to see the complete screenshot. Sorry for that.

Step 1: Download GnuPG for Windows and install it

After downloading it, open the file and follow the installation instructions, clicking next, next next, peck, peck (“even a chicken can install Debian”). When asked for the path, accept the default or note down where you installed it:

Finish the installation through clicking “Next” mucho times. All should be set now.

Step 2: Create a GPG keypair on the Windows-commandline

Now we’re about to create a keypair. This is quite simple, but involves a bit of typing:

Press Start

Choose “Run”

Type cmd

After pressing “OK”, the Windows commandline appears. There you have to change to the correct directory through typing "cd C:\Program Files\GNU\GnuPG". If you did it correctly, typing the command “cd” should yield the result "C:\Program Files\GNU\GnuPG":

Voilá! Now it’s time to create the keypair. To do this, you enter the command "gpg --gen-key" and follow the instructions step-by-step, accepting the defaults, choosing a reasonably secure passphrase to encrypt your private key. Note note or better remember your passphrase, you’ll need it:

Now you created a keypair which is appropriate to use for the Freenode IRC-network. Do not close that window.

Step 3: Create a signed password hash inside the IRC-server

I assume that you already have access to the Freenode-network and that you just want to do “the real thing”. Now, inside your IRC-client, create a hash with the command "/quote makepass <password>" where <password> is your choosen password. I take "schwubbdiwupp" as an example:

Note down the complete hash, whith all dollar- and slash-signs. Even better, copy it to the Windows Clipboard, you need it in the next step.

Step 4: Get Freenode’s key from the keyserver

Since you need to encrypt to the Freenode-staff and sign the message with your key, you need the GPG-key opf the freenode-staff. Just download it with the command: "gpg --keyserver pgpkeys.pca.dfn.de --recv-keys 035D6B1D"

Step 5: Sign your nickname with the hash

The next step signs the hash you just created and your nickname with the GPG private key you created in step 2. Go back to the window where GPG was and enter the following command, replacing my nickname "yalla" and my has "$1$8HQdxmzs$MiTG6Spl1HPb5iB4iIdmb/" with your hash:echo "yalla $1$8HQdxmzs$MiTG6Spl1HPb5iB4iIdmb/" | gpg --gnupg -sea -r 035D6B1D"

It will first ask you for the passphrase you used in step 2 to create your keypair; enter it. Next it will tell you something like: “It is NOT certain that the key belongs to the person named in the user ID. If you *really* know what you are doing, you may answer the next question with yes.” – you can safely say “yes” here:

Step 6, prepare email to Freenode:

Copy everything starting from "-----BEGING PGP MESSAGE-----" until "-----END PGP MESSAGE-----" to a file and save it to a safe location. This is the encrypted message with your nickname and hash which you will be sending to Freenode; but you also have to include your public key. This is done by typing the command "gpg --armor --export your@email.address":

Copy and paste this output to a safe location.

Step 7, last step:

No write an email to the Freenode-staff including your public key and encrypted message you’ve created in step 5 and 6.

Conclusion:

OK, this is the hard way to do it, but it’s the prefered way. Hope that helps.